c17ba0ff3357d47d521f3e819595f6857e80a75c57f019fe28d72737aa15ba03

Analysis

max time kernel
216s
max time network
222s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2023, 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nova pasta/Process_Hacker_-_Undetected.exe
Size

10.1MB
MD5

38aaf0d0974dabea141bb993cd4042e2
SHA1

7c13b69fb7c3bcce41c3f4bf425966eec987c017
SHA256

42ae95cd0808c7221b8a80cc4fc01c69cceac2b72a6eed95e2c04d563be55a56
SHA512

e80c046e0413b3a8ec748e44452833d2ce9de0b22a95dbaac5ffb4552af922f539a65ce3b6430c303913814a718835cfdeed5d49b4cd831984b1f5c6c7beaedb
SSDEEP

196608:jc9vfisVBb9mvOa3IzRvTj7GGnplRfq0aC2b/9MOE4JFnAzfAFlJ80NntBna2BYI:I9vfRetO37GGnpzfACfQnAzw/va2Xt

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4896	ph.dat
4048	evbCA56.tmp

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral3/memory/4896-25-0x00007FF6CEE20000-0x00007FF6CFBCD000-memory.dmp	autoit_exe
behavioral3/memory/4896-26-0x00007FF6CEE20000-0x00007FF6CFBCD000-memory.dmp	autoit_exe
behavioral3/memory/4896-27-0x00007FF6CEE20000-0x00007FF6CFBCD000-memory.dmp	autoit_exe
behavioral3/memory/4896-28-0x00007FF6CEE20000-0x00007FF6CFBCD000-memory.dmp	autoit_exe
behavioral3/memory/4896-47-0x00007FF6CEE20000-0x00007FF6CFBCD000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 25 IoCs

pid	Process
1460	Process_Hacker_-_Undetected.exe
4896	ph.dat
4896	ph.dat
1460	Process_Hacker_-_Undetected.exe
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4896 set thread context of 4048	4896	ph.dat	89

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	evbCA56.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	evbCA56.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	evbCA56.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	evbCA56.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	evbCA56.tmp

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1460	Process_Hacker_-_Undetected.exe
1460	Process_Hacker_-_Undetected.exe
1460	Process_Hacker_-_Undetected.exe
1460	Process_Hacker_-_Undetected.exe
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4048	evbCA56.tmp

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4048	evbCA56.tmp
Token: SeIncBasePriorityPrivilege	4048	evbCA56.tmp
Token: 33	4048	evbCA56.tmp
Token: SeLoadDriverPrivilege	4048	evbCA56.tmp
Token: SeProfSingleProcessPrivilege	4048	evbCA56.tmp
Token: SeRestorePrivilege	4048	evbCA56.tmp
Token: SeShutdownPrivilege	4048	evbCA56.tmp
Token: SeTakeOwnershipPrivilege	4048	evbCA56.tmp

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4896	ph.dat
4896	ph.dat
4896	ph.dat
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4896	ph.dat
4896	ph.dat
4896	ph.dat
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp
4048	evbCA56.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1460	Process_Hacker_-_Undetected.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 4896	1460	Process_Hacker_-_Undetected.exe	88
PID 1460 wrote to memory of 4896	1460	Process_Hacker_-_Undetected.exe	88
PID 4896 wrote to memory of 4048	4896	ph.dat	89
PID 4896 wrote to memory of 4048	4896	ph.dat	89
PID 4896 wrote to memory of 4048	4896	ph.dat	89
PID 4896 wrote to memory of 4048	4896	ph.dat	89
PID 4896 wrote to memory of 4048	4896	ph.dat	89
PID 4896 wrote to memory of 4048	4896	ph.dat	89
PID 4896 wrote to memory of 4048	4896	ph.dat	89
PID 4896 wrote to memory of 4048	4896	ph.dat	89
PID 4896 wrote to memory of 4048	4896	ph.dat	89
PID 4896 wrote to memory of 4048	4896	ph.dat	89
PID 4896 wrote to memory of 4048	4896	ph.dat	89
PID 4896 wrote to memory of 4048	4896	ph.dat	89
PID 4896 wrote to memory of 4048	4896	ph.dat	89
PID 4896 wrote to memory of 4048	4896	ph.dat	89
PID 4896 wrote to memory of 4048	4896	ph.dat	89

C:\Users\Admin\AppData\Local\Temp\Nova pasta\Process_Hacker_-_Undetected.exe
"C:\Users\Admin\AppData\Local\Temp\Nova pasta\Process_Hacker_-_Undetected.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Users\Admin\AppData\Local\Temp\Nova pasta\ph.dat
  "C:\Users\Admin\AppData\Local\Temp\Nova pasta\ph.dat"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Users\Admin\AppData\Local\Temp\evbCA56.tmp
    "C:\Users\Admin\AppData\Local\Temp\Nova pasta\87675643324.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\80EB2F5C

Filesize
14B

MD5
33c7088a69d5b0df397408286608762a

SHA1
c2d9477d58549d2c3e60f469f49d3f6d0b1b1a41

SHA256
1e94329a83b6ebccc85020c37797422a416d1b459c04fd256a6e05a45093fca9

SHA512
7ceac70bf1d06ba1eab310f8958026a19c0a4b76fdacc1843481e9c43d5e7016580d00e262a2a7de3fd18b22c628ca39cac18a15949ad85ae72237f0d818c4d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nova pasta\ph.dat

Filesize
7.2MB

MD5
4a0a94325f1a9b6274638d8c59978357

SHA1
10c568775f333c6ce5ac598696c91e9c22c40292

SHA256
e73c3125b302479216e5519456fabffabc5120287ef1cabc3b05b1a6dc9f9187

SHA512
0e8022487ec79c689ee26eb1aae205407bdb16cb54c8ce26b0a532fc8718c8a40e7df8ea75757ab000aac2d64854bb9fb0bc9b090caf06f3a97d9144c1001611

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbCA56.tmp

Filesize
1KB

MD5
7656680b3a8f608a25173e28875348cc

SHA1
9d5e137f66663cbc4ca54d52d7ff0db039e6b9ea

SHA256
f628da7fdab49d4f3a6789f1536a24de17bfb6f38d7a54f164bd1cb41e464d07

SHA512
49111b57082b6889c55f264056f6bb0dd78dd880e93fce3bb6acc35dab59eba41a13c3666f6a2400c566b9985472e4d55e9b0571401216152e33150eafc34bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbCA56.tmp

Filesize
1KB

MD5
7656680b3a8f608a25173e28875348cc

SHA1
9d5e137f66663cbc4ca54d52d7ff0db039e6b9ea

SHA256
f628da7fdab49d4f3a6789f1536a24de17bfb6f38d7a54f164bd1cb41e464d07

SHA512
49111b57082b6889c55f264056f6bb0dd78dd880e93fce3bb6acc35dab59eba41a13c3666f6a2400c566b9985472e4d55e9b0571401216152e33150eafc34bb7

Download Submit
C:\Users\Admin\Pictures\ibif.jy

Filesize
32B

MD5
7820b6b8eb5bfbdcaeb419a65a402c6c

SHA1
37ab0bf2dcccfba042e85ac3ae5aae0b7d317753

SHA256
2f304a7cff0f71068da2a4b05f7369a455161f0fbfe479ef57180b14d83bde37

SHA512
03c0eca2fa6b024130331942147e8b188fc830fcf3cca9ebb81698f39e6d3220e4625d20c2eeac0874de3655abd35cae2c367a37c2dd7594717b688bc12b7c0a

Download Submit
\??\c:\users\admin\appdata\local\temp\80EB2F5C

Filesize
14B

MD5
33c7088a69d5b0df397408286608762a

SHA1
c2d9477d58549d2c3e60f469f49d3f6d0b1b1a41

SHA256
1e94329a83b6ebccc85020c37797422a416d1b459c04fd256a6e05a45093fca9

SHA512
7ceac70bf1d06ba1eab310f8958026a19c0a4b76fdacc1843481e9c43d5e7016580d00e262a2a7de3fd18b22c628ca39cac18a15949ad85ae72237f0d818c4d7

Download Submit
\??\c:\users\admin\appdata\local\temp\80EB2F5C

Filesize
14B

MD5
33c7088a69d5b0df397408286608762a

SHA1
c2d9477d58549d2c3e60f469f49d3f6d0b1b1a41

SHA256
1e94329a83b6ebccc85020c37797422a416d1b459c04fd256a6e05a45093fca9

SHA512
7ceac70bf1d06ba1eab310f8958026a19c0a4b76fdacc1843481e9c43d5e7016580d00e262a2a7de3fd18b22c628ca39cac18a15949ad85ae72237f0d818c4d7

Download Submit
\??\c:\users\admin\appdata\local\temp\nova pasta\ph.dat

Filesize
7.2MB

MD5
4a0a94325f1a9b6274638d8c59978357

SHA1
10c568775f333c6ce5ac598696c91e9c22c40292

SHA256
e73c3125b302479216e5519456fabffabc5120287ef1cabc3b05b1a6dc9f9187

SHA512
0e8022487ec79c689ee26eb1aae205407bdb16cb54c8ce26b0a532fc8718c8a40e7df8ea75757ab000aac2d64854bb9fb0bc9b090caf06f3a97d9144c1001611

Download Submit
\??\c:\users\admin\pictures\ibif.jy

Filesize
32B

MD5
7820b6b8eb5bfbdcaeb419a65a402c6c

SHA1
37ab0bf2dcccfba042e85ac3ae5aae0b7d317753

SHA256
2f304a7cff0f71068da2a4b05f7369a455161f0fbfe479ef57180b14d83bde37

SHA512
03c0eca2fa6b024130331942147e8b188fc830fcf3cca9ebb81698f39e6d3220e4625d20c2eeac0874de3655abd35cae2c367a37c2dd7594717b688bc12b7c0a

Download Submit
\??\c:\users\admin\pictures\ibif.jy

Filesize
32B

MD5
7820b6b8eb5bfbdcaeb419a65a402c6c

SHA1
37ab0bf2dcccfba042e85ac3ae5aae0b7d317753

SHA256
2f304a7cff0f71068da2a4b05f7369a455161f0fbfe479ef57180b14d83bde37

SHA512
03c0eca2fa6b024130331942147e8b188fc830fcf3cca9ebb81698f39e6d3220e4625d20c2eeac0874de3655abd35cae2c367a37c2dd7594717b688bc12b7c0a

Download Submit
memory/1460-4-0x0000000077443000-0x0000000077444000-memory.dmp

Filesize
4KB

Download
memory/1460-74-0x00000000FFA60000-0x00000000FFE31000-memory.dmp

Filesize
3.8MB

Download
memory/1460-60-0x0000000000400000-0x0000000000C81456-memory.dmp

Filesize
8.5MB

Download
memory/1460-0-0x0000000000400000-0x0000000000C81456-memory.dmp

Filesize
8.5MB

Download
memory/1460-3-0x0000000077442000-0x0000000077443000-memory.dmp

Filesize
4KB

Download
memory/1460-77-0x0000000000400000-0x0000000000C81456-memory.dmp

Filesize
8.5MB

Download
memory/1460-56-0x0000000000400000-0x0000000000C81456-memory.dmp

Filesize
8.5MB

Download
memory/1460-1-0x00000000FFA60000-0x00000000FFE31000-memory.dmp

Filesize
3.8MB

Download
memory/4048-81-0x00007FF4FDAB0000-0x00007FF4FDE81000-memory.dmp

Filesize
3.8MB

Download
memory/4048-75-0x00007FFFEB750000-0x00007FFFEB760000-memory.dmp

Filesize
64KB

Download
memory/4048-101-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/4048-36-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/4048-100-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/4048-42-0x0000000000050000-0x0000000000147000-memory.dmp

Filesize
988KB

Download
memory/4048-99-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/4048-98-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/4048-97-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/4048-96-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/4048-45-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/4048-95-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/4048-94-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/4048-93-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/4048-92-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/4048-49-0x0000000000050000-0x0000000000147000-memory.dmp

Filesize
988KB

Download
memory/4048-52-0x0000000000050000-0x0000000000147000-memory.dmp

Filesize
988KB

Download
memory/4048-53-0x00007FFFEBE30000-0x00007FFFEC025000-memory.dmp

Filesize
2.0MB

Download
memory/4048-54-0x00007FFF6C030000-0x00007FFF6C040000-memory.dmp

Filesize
64KB

Download
memory/4048-55-0x00007FF4FDAB0000-0x00007FF4FDE81000-memory.dmp

Filesize
3.8MB

Download
memory/4048-91-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/4048-90-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/4048-89-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/4048-88-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/4048-87-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/4048-70-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/4048-71-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/4048-72-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/4048-73-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/4048-86-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/4048-85-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/4048-76-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/4048-84-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/4048-78-0x0000000000050000-0x0000000000147000-memory.dmp

Filesize
988KB

Download
memory/4048-79-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/4048-80-0x00007FFFEBE30000-0x00007FFFEC025000-memory.dmp

Filesize
2.0MB

Download
memory/4048-83-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/4048-82-0x0000000140000000-0x0000000141063000-memory.dmp

Filesize
16.4MB

Download
memory/4896-29-0x00007FFFEBE30000-0x00007FFFEC025000-memory.dmp

Filesize
2.0MB

Download
memory/4896-47-0x00007FF6CEE20000-0x00007FF6CFBCD000-memory.dmp

Filesize
13.7MB

Download
memory/4896-33-0x00007FFFEBE30000-0x00007FFFEC025000-memory.dmp

Filesize
2.0MB

Download
memory/4896-48-0x00007FFFEBE30000-0x00007FFFEC025000-memory.dmp

Filesize
2.0MB

Download
memory/4896-25-0x00007FF6CEE20000-0x00007FF6CFBCD000-memory.dmp

Filesize
13.7MB

Download
memory/4896-26-0x00007FF6CEE20000-0x00007FF6CFBCD000-memory.dmp

Filesize
13.7MB

Download
memory/4896-27-0x00007FF6CEE20000-0x00007FF6CFBCD000-memory.dmp

Filesize
13.7MB

Download
memory/4896-28-0x00007FF6CEE20000-0x00007FF6CFBCD000-memory.dmp

Filesize
13.7MB

Download
memory/4896-23-0x00007FFFEBE30000-0x00007FFFEC025000-memory.dmp

Filesize
2.0MB

Download
memory/4896-14-0x00007FF6CEE20000-0x00007FF6CFBCD000-memory.dmp

Filesize
13.7MB

Download
memory/4896-24-0x00007FFFEBE30000-0x00007FFFEC025000-memory.dmp

Filesize
2.0MB

Download
memory/4896-35-0x00007FFFEBE30000-0x00007FFFEC025000-memory.dmp

Filesize
2.0MB

Download
memory/4896-37-0x00007FFFEBE30000-0x00007FFFEC025000-memory.dmp

Filesize
2.0MB

Download
memory/4896-30-0x00007FFFEBE30000-0x00007FFFEC025000-memory.dmp

Filesize
2.0MB

Download
memory/4896-44-0x00007FFFEB750000-0x00007FFFEB760000-memory.dmp

Filesize
64KB

Download
memory/4896-43-0x00007FF4748A0000-0x00007FF474C71000-memory.dmp

Filesize
3.8MB

Download
memory/4896-32-0x00007FFFEBE30000-0x00007FFFEC025000-memory.dmp

Filesize
2.0MB

Download
memory/4896-40-0x00007FFF6C030000-0x00007FFF6C040000-memory.dmp

Filesize
64KB

Download
memory/4896-34-0x00007FFFEBE30000-0x00007FFFEC025000-memory.dmp

Filesize
2.0MB

Download